HA remote access with KeenDNS


I have a Zyxel router (Keenetic Ultra II) with a built-in DNS service, KeenDNS, which gives you remote access to the router with a third-level domain name and to any local device with a fourth-level domain name. The connection is HTTPS. So I can access the HA authorization page, but after login I just get “Unable to connect to Home Assistant”.
I can see: “Login attempt or request with invalid authentication from” on the front page and nothing in the log.
I tried adding this to the configuration:

  base_url: https://my.domain.keenetic.pro:8123
  api_password: my_password
  ip_ban_enabled: True
  login_attempts_threshold: 10 

But nothing works.
Could someone advise what else I can try?


Remove https:// from your base URL


Thank you for the help, but it didn’t work. I’m not sure why I need a port number, because there is no port number in my link in the browser. The port number is set in the router. So I tried with and without the port.
Is there any type of log I can capture apart from the main one?


I caught this exception in Firefox:
Have no idea about it…


What’s doing your SSL? I don’t see any SSL settings in your config. You either need SSL on Home Assistant or a reverse proxy running your SSL.


From router manual:

By default, remote access to the device over the level 4 domain via the KeenDNS service works like this: you connect to the Internet center via the HTTPS protocol, and then you connect to the local device via the HTTP protocol. Therefore, on the device for which we use the 4th-level domain name, the possibility of using an HTTP connection should not be excluded in its settings, i.e. the option “Use only HTTPS” should not be enabled. If you want to access via HTTPS, you can manually get your own certificate for the 4th-level domain through the command line interface (CLI).

From the router to HA, is HTTPS required or is HTTP enough?


I am not sure, but could the router be providing SSL for the lower level?


Only if it’s acting as a reverse proxy


I tried:

base_url: my.domain.keenetic.pro:8123
use_x_forwarded_for: true

Loading takes much longer, but same result. :disappointed_relieved:


Do you understand what a reverse proxy is?

Changing the HA config isn’t going to fix your router…


Not at all :grinning: I need to get an SSL certificate and then I can use it with my domain name. Is that correct?


If you want to use https, but if your router doesn’t support the necessary settings for reverse proxy in HA you’ll need to do something else.


I just got a reply from the manufacturer. The router can proxy some ports only:

HTTP: 80, 81, 280, 591, 777, 5080, 8080, 8090 and 65080
HTTPS: 443, 5083, 5443, 8083, 8443 and 65083.

What port is better to use?
Sorry for the stupid question, but why is HA using 8123 instead of, let’s say, 80?


You can use any of them.
Use 443 if you don’t want to have to put in a port number when connecting.

Lots of applications use their own ports. Port 80 on a Linux machine is reserved for root only (any port below 1024), and as such would complicate setups, and cause problems.

Forward port 443 to 8123


KeenDNS settings:
domain name: my
Host (local net):
TCP port: 443

Port forwarding:
Input: Provider
Protocol: TCP/443
Destination port: 8123

As a result, on the HA login page: Error: Something went wrong
And nothing in the log. Are these the correct settings?


I understand you want to use your router for this, but I don’t think it is going to work. There are things that HA needs to work with reverse proxies.

As an example, this config contains a few items that most normal reverse proxies do not.

If the settings of the built in reverse proxy are not capable of meeting these requirements, then it simply will not work.


OK. It is more complicated than I thought! Anyway, thank you for the help!



Thank you for the input, but I cannot actually understand the root cause. My configuration is as follows:

  • Hass.io running in the local network at 192.168.1.X:8123
  • KeenDNS acting as a reverse proxy associates the 4th-level DNS name with the local network IP 192.168.1.X:8123
  • KeenDNS uses SSL

If I try to get access through the 4th-level domain name, the remote Hass.io installation will respond and I will see the login page.

Having entered the correct login, Hass.io reports “unable to connect”. Why? There is traffic, but login fails.



There are required settings for it to work, which, if you do not have access to change on your reverse proxy, will not work. I pointed to the documentation which shows the settings for NGINX. Without these settings, and with a standard reverse proxy configuration, NGINX will do the same thing as you describe.

The problem 100% solely lies in the REVERSE PROXY CONFIGURATION, which apparently you don’t have access to.
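
For reference, an added example that is not part of the thread: Home Assistant's frontend talks to the server over a WebSocket (`/api/websocket`), so a reverse proxy in front of it has to pass the HTTP Upgrade handshake through, which a plain `proxy_pass` location does not do. A sketch of an NGINX configuration that does; the host name, certificate paths and upstream address are placeholders.

```nginx
# Added example. Placeholders: ha.example.invalid, the certificate paths,
# and the upstream address 127.0.0.1:8123 (NGINX assumed on the HA host).

# Goes in the http {} context: send "Connection: upgrade" only when the
# client actually asked for an upgrade, otherwise close as usual.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    server_name ha.example.invalid;

    ssl_certificate     /etc/nginx/ssl/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/privkey.pem;

    location / {
        # TLS ends here; the hop to Home Assistant is plain HTTP.
        proxy_pass http://127.0.0.1:8123;

        # WebSocket upgrade needs HTTP/1.1 and the two hop-by-hop headers
        # forwarded explicitly; without them the login page loads over
        # ordinary HTTP but the WebSocket session never opens.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # Preserve the original host and client address for HA's logs
        # and its failed-login tracking (pairs with use_x_forwarded_for).
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_buffering off;
    }
}
```

If the proxy in use offers no way to set the equivalent of the `Upgrade` and `Connection` lines, the WebSocket handshake cannot pass through it.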


I am sorry for the stupid question. Is NGINX included in Hass.io, or is an additional installation required?